This invention relates to methods and apparatus for synchronizing access control in a web server.
Web servers are computer systems that support web sites. Web sites typically include a number of resources that are used to build the web site. Files are one example of a resource that can be used to build a web site. It is highly desirable to protect the content of and access to a web site so that unauthorized individuals cannot access and manipulate web site resources.
Various security schemes have evolved to give web site administrators the ability to protect the resources on their web sites. Often times more than one security scheme can be used in conjunction with another, and often times the different security schemes are set at different places within a system. For example, FIG. 1 shows an exemplary system that can include different security schemes that can be set from different places within the system. These security schemes are not synchronized and because of this, problems can arise for both the system administrator and product service engineers who might be called upon to assist a system administrator when problems arise. In this example, a server 10 includes a file system 11, an operating system 12 that can be used to operate on the file system, and an internet information server 13, such as Microsoft's Internet Information Service that manages internet access for a plurality of different clients 18, 20. In this example, file system 11 has a file system access controller 14 that is used by a system administrator to set security access for the file system. For example, read and write access can be set through the file system access controller 14 and specifies what privileges the various clients of the system have. Additionally, a web site access controller 16 is provided and is used by the internet information server 13 to determine which of the various clients can access a particular web site and what operations are allowed on particular resources that are accessible through the web site. Here too, read and write access can be set for particular files.
The security settings that are set by the file system access controller 14 can, in some instances, conflict with the security settings that are set by the web site access controller 16. For example, if the file system access controller sets a "read only" setting on a particular file (e.g. "file"), and the web site access controller 16 sets a "read and write" setting for the same file, then when a client attempts to write to "http://www.file.com", the request will fail because the file system access controller 14 has placed a more restrictive security setting on the particular file than the web site access controller 16. This is a very elementary example, but is one that illustrates just how easily unsynchronized, inconsistent security settings can arise. These inconsistencies can lead to customer dissatisfaction and increased time for support calls to assist the customer in sorting out the inconsistent security settings. Administrators of secure products can become frustrated and support costs can escalate when any product has more than one tool or scheme to maintain and/or enforce security policy, such as access control or authentication.
This invention arose out of concerns associated with providing a simple, easy-to-use tool for synchronizing access control in a Web server that includes a plurality of different access control mechanisms.
Methods and apparatus for synchronizing access control in a Web server are described. In one embodiment, a plurality of security scenarios are defined and each scenario has one or more security settings associated with it. The security settings are associated with a plurality of access control mechanisms that control access to a web server and/or its resources. One or more of the security settings for a plurality of the access control mechanisms are automatically set when a security scenario is selected by a user. Thus, the security settings for a number of different access control mechanisms can be set contemporaneously by selecting one security scenario. This avoids having to individually set security settings for each of the access control mechanisms and can ensure that the individual settings are proper.
Among the various access control mechanisms that can be set by selection of an appropriate security scenario are: authentications for authenticating various users, Web permissions that define what particular operations are allowed on particular resources, access restrictions that can permit or deny access to a Web site based upon an identification that is associated with a particular user, and access control lists (ACLs) that include user information and privileges that are associated with a particular resource.
In addition, in some embodiments third party security access control mechanisms that control access to resources that are not managed or controlled by the web server can be set.
Further, in some embodiments various locations within a hierarchical name space can inherit the security settings from one or more upstream locations in the hierarchical name space.
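The Python sketch below is an added example, not part of the original disclosure: it reproduces the "read only" versus "read and write" mismatch from the background and then shows a single scenario selection setting authentication, Web permissions and the ACL together. The scenario names, principals, the Resource class and all function names are hypothetical.

```python
# Added illustration; every name and scenario value here is constructed.
from dataclasses import dataclass, field

READ, WRITE = "read", "write"

# One scenario carries the settings for every access control mechanism.
SCENARIOS = {
    "public_read_only": {
        "authentication": {"anonymous"},
        "web_permissions": {READ},
        "acl": {"Everyone": {READ}},
    },
    "authors_can_publish": {
        "authentication": {"basic"},
        "web_permissions": {READ, WRITE},
        "acl": {"Authors": {READ, WRITE}, "Everyone": {READ}},
    },
}

@dataclass
class Resource:
    path: str
    authentication: set = field(default_factory=set)
    web_permissions: set = field(default_factory=set)  # web site access controller
    acl: dict = field(default_factory=dict)            # file system access controller

def apply_scenario(resource, name):
    """Set all mechanisms on the resource from one scenario selection."""
    s = SCENARIOS[name]
    resource.authentication = set(s["authentication"])
    resource.web_permissions = set(s["web_permissions"])
    resource.acl = {who: set(ops) for who, ops in s["acl"].items()}
    return resource

def effective_ops(resource, principal):
    """A request succeeds only if both mechanisms allow the operation."""
    return resource.web_permissions & resource.acl.get(principal, set())

def find_conflicts(resource):
    """Operations the Web permissions allow that no ACL entry grants."""
    granted_by_acl = set().union(*resource.acl.values())
    return sorted(resource.web_permissions - granted_by_acl)

def demo():
    # Settings made by hand in two places, as in the background example.
    manual = Resource("/file", {"anonymous"}, {READ, WRITE}, {"Everyone": {READ}})
    synced = apply_scenario(Resource("/file"), "authors_can_publish")
    return find_conflicts(manual), find_conflicts(synced)

if __name__ == "__main__":
    print(demo())
```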